U.S. patent application number 10/679606 was filed with the patent office on 2003-10-02 and published on 2004-07-15 for mission-centric network defense system (MCNDS).
Invention is credited to Barrett, George R. and Lee, Susan C.
Application Number: 20040136378 (Appl. No. 10/679606)
Document ID: /
Family ID: 32717233
Publication Date: 2004-07-15
United States Patent Application 20040136378, Kind Code A1
Barrett, George R.; et al.
July 15, 2004
Mission-centric network defense system (MCNDS)
Abstract
The Mission Centric Network Defense System (MCNDS) is a
deployable network defense system that monitors network activities,
generates and maintains situational awareness of operational
activities, and uses this joint situational awareness of networked
and operational activities to predict the mission impact of
alterations and disruptions of networked resources. The MCNDS uses
its predictive capability to rank information operation (IO)
courses-of-action (COAs) and interpret network alarms and intrusion
detections in terms of expected operational mission impact.
Inventors: Barrett, George R. (Silver Spring, MD); Lee, Susan C. (Columbia, MD)
Correspondence Address: Office of Patent Counsel, The Johns Hopkins University Applied Physics Laboratory, 11100 Johns Hopkins Road, Laurel, MD 20723-6099, US
Family ID: 32717233
Appl. No.: 10/679606
Filed: October 2, 2003
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
60415437 (provisional) | Oct 2, 2002 |
Current U.S. Class: 370/395.2; 370/235
Current CPC Class: H04L 43/0817 20130101; H04L 63/1408 20130101; H04L 43/00 20130101
Class at Publication: 370/395.2; 370/235
International Class: H04L 012/56
Claims
What is claimed is:
1. A method for network defense, comprising the steps of: detecting
mission events by processing communications packets and traffic
streams; forming mission tracks by processing said mission events;
estimating mission sensitivities by processing said mission tracks;
prioritizing network operations by processing said mission
sensitivities; and correlating network alarms to missions by
processing said mission sensitivities, wherein said steps include a
database of dynamic and a priori information.
2. The method of claim 1, wherein the step of detecting mission
events by processing communications packets comprises: receiving
said communications packets; extracting said communicated
information from said communication packets and traffic streams;
creating homogeneous information packages from said communicated
information; and detecting mission events by processing said
homogeneous information packages.
3. The method of claim 1, wherein the step of forming mission
tracks by processing said mission events comprises: determining
active mission types, using said mission events; and determining
the state of each mission, using said mission events, including
producing a mission state vector for each mission.
4. The method of claim 1, wherein the step of estimating mission
sensitivities by processing said mission tracks comprises
estimating mission sensitivity to network perturbations, using
mission tracks.
5. The method of claim 1, wherein prioritizing network operations
by processing said mission sensitivities comprises ordering said
list of network operations by comparing said mission
sensitivities.
6. The method of claim 1, wherein the step of correlating network
alarms to missions by processing said mission sensitivities
comprises creating a list of relationships between each network
alarm and each mission using said mission sensitivity values.
7. The method of claim 4, wherein network perturbations comprise
modifications to network devices, protocols, policies, or
architecture through network management courses of action.
8. The method of claim 4, wherein network perturbations comprise
modifications to network devices, protocols, policies, or
architecture through attacks on network devices, protocols,
policies, or architecture.
9. The method of claim 1, wherein said database of dynamic and a
priori information comprises: providing a database of performance
statistics and observation logs from earlier missions; providing a
set of prespecified mission types; for each mission type, providing
a set of prespecified mission states; for each mission type,
providing a set of prespecified mission events; providing a set of
prespecified network perturbations; providing a set of weighted
mappings from network components to mission states; providing a set
of weighted mappings from network components to mission events;
providing a set of mappings from network perturbations to network
components; providing a set of prespecified network alarms;
providing a rule base for updating, adapting, and modifying mission
types, mission states, mission events, network perturbations,
network alarms, and mappings using said performance statistics and
observation logs.
10. The method of claim 2, wherein said communicated information
comprises packet source information, destination addresses and port
information.
11. The method of claim 2, wherein the step of extracting said
communicated information comprises scanning said communicated
packets as an unstructured data stream.
12. The method of claim 2, wherein the step of extracting said
communicated information comprises comparing traffic stream
characteristics to known usage patterns.
13. The method of claim 3, wherein the active mission types are
determined through the use of an HMM.
14. The method of claim 3, wherein the state of each mission is
determined through the use of an HMM.
15. The method of claim 13, wherein mission HMM component
determination comprises combining performance statistics from
earlier missions with an Operational Sequence Diagram.
16. The method of claim 14, wherein mission HMM component
determination comprises combining performance statistics from
earlier missions with an Operational Sequence Diagram.
17. The method of claim 3, wherein the step of determining said
active mission types is performed inductively.
18. The method of claim 17, wherein the step of determining said
active mission types inductively is performed through the use of
the forward algorithm.
19. The method of claim 4, further comprising the steps of: using a
system dynamics model and a set of network perturbations to produce
a nominal version of the mission state at k+1 and a perturbed
version of the mission state at k+1; propagating out the nominal
version of the mission state at k+1 and the perturbed version of
the mission state at k+1, to a computation horizon; and computing
the difference between the overall mission effectiveness along the
nominal version of the mission state and the perturbed version of
the mission state.
20. The method of claim 4, wherein the step of estimating mission
sensitivity to network perturbations comprises using a closed-form
expression to compute mission sensitivities.
21. The method of claim 19, wherein said set of network
perturbations comprises a set of alternative network operation
COAs.
22. The method of claim 19, wherein said set of network
perturbations comprises a set of attacks on network devices,
protocols, policies, and architecture.
23. The method of claim 20, wherein said set of network
perturbations comprises a set of alternative network operation
COAs.
24. The method of claim 20, wherein said set of network
perturbations comprises a set of attacks on network devices,
protocols, policies, and architecture.
25. The method of claim 5, wherein network operations comprise
modifications to network devices, protocols, policies, or
architecture through network management courses of action.
26. The method of claim 5, wherein network operations comprise
modifications to network devices, protocols, policies, or
architecture through attacks on network devices, protocols,
policies, or architecture.
27. The method of claim 6, wherein the list of relationships
between each network alarm and each mission is constrained by
numerical thresholds on said mission sensitivities.
28. The method of claim 6, wherein network alarms comprise messages
indicating failures in network devices, protocols, policies, or
architecture.
29. The method of claim 6, wherein network alarms comprise messages
indicating detection of network intrusions.
30. The method of claim 19, wherein said system dynamics model is
an HMM.
31. The method of claim 21, wherein said system dynamics model is
an HMM.
32. The method of claim 22, wherein said system dynamics model is
an HMM.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the benefit of provisional U.S.
application Ser. No. 60/415437, filed on Oct. 2, 2002, the entire
contents of which are hereby incorporated by reference as if fully
disclosed herein.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] The present invention relates to a network defense system.
More specifically, it relates to a deployable network defense
system that monitors both network and operational activities, and
predicts the mission impact of alterations and disruptions of
networked resources.
[0004] 2. Description of the Related Art
[0005] In both the commercial and military domains, systems are
becoming increasingly networked. The power of networking is
apparent through the potential for increased quantity and quality
of information available for decision-makers and more efficient use
of resources. At the same time, the increased complexity of
networked approaches leads to several pressing needs. Some of these
needs include robust systems, both to internal faults and to
attacks from outside the network, as well as analysis to understand
the impact of the system's degradation to its overall mission
effectiveness.
SUMMARY OF THE INVENTION
[0006] The Mission Centric Network Defense System (MCNDS) is
related to a deployable network defense system that monitors
network activities, generates and maintains situational awareness
of operational activities, and uses this joint situational
awareness of networked and operational activities to predict the
mission impact of alterations and disruptions of networked
resources. The MCNDS uses predictive capability to rank defensive
information operation (IO) courses-of-action (COAs) as well as
interpret network alarms and intrusion detections in terms of
expected operational mission impact. IO and operational commanders
may use MCNDS to monitor and understand how their networks are
supporting various missions and how actions taken on their networks
impact their missions.
[0007] It is an object of the invention disclosed herein to provide
dynamic, constantly maintained awareness of the actual current
status of both the network and the mission.
[0008] It is a further object of the invention disclosed herein to
use awareness of the actual current state of both the network and
the mission to predict the mission impact of alterations and
disruptions of networked resources, in general, and to provide
mission relevant correlations of network alarms and intrusion
detections in particular.
[0009] It is yet another object of the invention disclosed herein
to predict the mission impact of network perturbations in general,
and in one embodiment particular, to prioritize defensive
information operation (IO) courses-of-action (COAs) with respect to
expected impact on operational effectiveness.
[0010] These and other objects and advantages of the present
invention will be fully apparent from the following description,
when taken in connection with the annexed drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] The teachings of the present invention can be readily
understood by considering the following detailed description in
conjunction with the accompanying drawings, in which:
[0012] FIG. 1 is a block diagram depicting an embodiment of the
functional architecture of the MCNDS;
[0013] FIG. 2 is a graph showing an example mission state
probability over time;
[0014] FIG. 3 depicts a method of determining mission sensitivity
and performing mission impact prediction;
[0015] FIG. 4 depicts an example of a deployed force architecture
with an Air Tasking Order (ATO) generation mission; and
[0016] FIG. 5. is a graph illustrating an example set of
sensitivity curves over time for the ATO generation mission.
DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
[0017] FIG. 1 depicts an embodiment for the MCNDS. Interface
sensors 102 at select network node(s) can provide both network and
mission data. Both network health and the operational situation
being supported by the network are monitored by extracting relevant
information from packet and traffic patterns. Relevant information
can include packet sources, destinations and ports, but can also
include any other information deemed relevant to the network or
mission. In this case, the packet flows may be scanned as an
unstructured data stream.
[0018] Mission event detection 104 is performed by combining the
information from the interface sensors. Once mission events are
detected, they are combined with knowledge of the mission types,
and missions can be correlated and tracked 106. Mission tracking in
the current context means determining which missions are active and
the state of each mission. For this, a set of mission types is
assumed (e.g. Call-For-Fire, TCS, Ship-To-Objective-Maneuver, Air
Defense). Missions may be modeled using stochastic models (e.g.,
Hidden Markov Models, HMMs), that is, processes that have both
stochastic transition behavior and stochastic output maps. Given
the observed event sequence, determining which mission types would,
with high probability, have generated that sequence may be
performed inductively. For Hidden Markov Models, a fast algorithm
that implements this induction is known as the "forward
algorithm".
[0019] The forward algorithm processes the sequence of observed
variables $o_1, o_2, \ldots, o_t$ using, for each mission type $k$,
the model $M^k \equiv (A^k, C^k, \pi_0^k)$: the state transition
matrix, the observation matrix, and the initial probability vector
for mission $k$. The forward variable at time $t$ for mission $k$,
denoted $\alpha_t^k$, is the joint probability of the observation
sequence so far and a particular current state, given model $M^k$.
Its $i$-th component is

$$\alpha_t^k(i) = \Pr(O_1 = o_1, O_2 = o_2, \ldots, O_t = o_t, s_t = i \mid M^k),$$

and the inductive procedure for computing $\alpha_t^k$ is as follows:

$$\alpha_1^k(i) = \pi_0^k(i)\, c^k_{o_1 i}, \quad \forall i,$$

[0020]

$$\alpha_{t+1}^k(i) = \Big( \sum_j \alpha_t^k(j)\, a^k_{ij} \Big)\, c^k_{o_{t+1} i},$$

[0021] where $a^k_{ij}$ is the $ij$-th entry of $A^k$ and
$c^k_{o_{t+1} i}$ is the $(o_{t+1}, i)$-th entry of $C^k$. Once the
forward variable has been computed, we have

$$\Pr(O_1 = o_1, O_2 = o_2, \ldots, O_t = o_t \mid M^k) = \sum_j \alpha_t^k(j),$$

[0022] where $t$ is the terminal time. This quantity is the
likelihood of the observed event sequence under the model for
mission $k$; comparing it across the mission types (weighted by any
prior on which missions are active) indicates how probable it is
that mission $k$ is active given the sequence of observed
variables. A primary architectural product that has successfully
been shown to allow effective mission tracking using HMMs is an
operational sequence diagram (OSD) that describes which operational
enterprise systems are communicating with each other, when, and in
what order.
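The recursion above, as an added worked example that is not code from the patent: the forward algorithm is run for two mission-type HMMs over one sequence of detected mission events, and the per-model likelihoods are turned into a posterior over mission types by Bayes' rule (the patent stops at the likelihood; the posterior step and equal priors are an addition here). The index convention follows the page, with A[i][j] = Pr(s_{t+1}=i | s_t=j) and C[o][i] = Pr(O_t=o | s_t=i). The mission types, event alphabet, matrices, initial vector and event sequence are all constructed toy data; the per-step rescaling of alpha is a standard numerical precaution against underflow, not part of the page's formulas.

```python
# Added example (not from the patent): forward algorithm for mission-type
# identification with M^k = (A^k, C^k, pi_0^k), page index convention:
#   A[i][j] = Pr(s_{t+1}=i | s_t=j)   (each column sums to 1)
#   C[o][i] = Pr(O_t=o | s_t=i)       (each state's emissions sum to 1)
# All models and the observed event sequence below are constructed.
from math import exp, log

STATES = ["detect", "decide", "engage", "assess"]          # FIG. 2 states
EVENTS = ["sensor_report", "planning_query", "fire_order", "bda_report"]

# Transition matrix shared by both constructed models: row = next, col = current.
A_SHARED = [[0.3, 0.0, 0.0, 0.5],
            [0.7, 0.3, 0.0, 0.0],
            [0.0, 0.7, 0.2, 0.0],
            [0.0, 0.0, 0.8, 0.5]]
PI0 = [0.85, 0.05, 0.05, 0.05]

MODELS = {
    "call_for_fire": {"A": A_SHARED, "pi0": PI0, "C": {
        "sensor_report":  [0.7, 0.1, 0.1, 0.1],
        "planning_query": [0.1, 0.7, 0.1, 0.1],
        "fire_order":     [0.1, 0.1, 0.7, 0.1],
        "bda_report":     [0.1, 0.1, 0.1, 0.7]}},
    "air_defense": {"A": A_SHARED, "pi0": PI0, "C": {
        "sensor_report":  [0.6, 0.4, 0.3, 0.4],
        "planning_query": [0.05, 0.1, 0.05, 0.05],
        "fire_order":     [0.3, 0.4, 0.6, 0.3],
        "bda_report":     [0.05, 0.1, 0.05, 0.25]}},
}


def forward(model, obs):
    """Forward recursion for one model over the event sequence `obs`.

    Returns (log Pr(O_1..O_t | M^k), filtered state distribution at time t).
    alpha is rescaled to sum to 1 at each step so long sequences do not
    underflow; the logs of the scale factors add up to the log-likelihood.
    """
    A, C, pi0 = model["A"], model["C"], model["pi0"]
    n = len(pi0)
    # alpha_1^k(i) = pi_0^k(i) * c^k_{o_1 i}
    alpha = [pi0[i] * C[obs[0]][i] for i in range(n)]
    loglik = 0.0
    for t, o in enumerate(obs):
        if t > 0:
            # alpha_{t+1}^k(i) = (sum_j alpha_t^k(j) a^k_{ij}) * c^k_{o_{t+1} i}
            alpha = [sum(alpha[j] * A[i][j] for j in range(n)) * C[o][i]
                     for i in range(n)]
        scale = sum(alpha)                  # Pr(o_t | o_1..o_{t-1}, M^k)
        if scale == 0.0:                    # sequence impossible under this model
            return float("-inf"), [0.0] * n
        loglik += log(scale)
        alpha = [a / scale for a in alpha]
    return loglik, alpha                    # alpha[i] = Pr(s_t=i | O, M^k)


def classify(models, obs, priors=None):
    """Posterior Pr(mission k active | O) from each model's likelihood (Bayes
    rule, equal priors unless given); log-sum-exp keeps it numerically safe."""
    logs = {}
    for k, m in models.items():
        ll, _ = forward(m, obs)
        logs[k] = ll + log(priors[k] if priors else 1.0 / len(models))
    top = max(logs.values())
    if top == float("-inf"):
        raise ValueError("observation sequence impossible under every model")
    z = sum(exp(v - top) for v in logs.values())
    return {k: exp(v - top) / z for k, v in logs.items()}


def track(model, obs):
    """Most likely current mission state under a model (the tracker of FIG. 2)."""
    _, state = forward(model, obs)
    return STATES[max(range(len(state)), key=state.__getitem__)]


if __name__ == "__main__":
    # Constructed event sequence, as mission event detection 104 would emit it.
    observed = ["sensor_report", "planning_query", "fire_order", "bda_report"]
    posterior = classify(MODELS, observed)
    active = max(posterior, key=posterior.get)
    print({k: round(p, 3) for k, p in posterior.items()})
    print("active:", active, "state:", track(MODELS[active], observed))
```

The filtered state vector returned by `forward` is exactly what [0024] hands to the sensitivity analyzer as its initial condition, so a mission that an attacker can make look like a different mission type (by suppressing or spoofing the events that distinguish the emission matrices) also corrupts every downstream impact estimate; the event detector's inputs are therefore part of the trust boundary.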
[0023] Sensitivity analysis 108 is then performed. The impact of
network perturbations, e.g. intrusion detections 110, on the
mission may be estimated, and correlated intrusions and alarms 116
can be determined. Mission sensitivity to various network
perturbations may also be determined. One particularly important
type of network perturbation is the implementation of an
alternative network-operations COA 112. In this case, COAs may be
prioritized 114 according to their contribution to overall mission
performance.
[0024] FIG. 2 depicts an approach to determining the mission state.
In this example, the mission states are categorized as detect,
decide, engage, and assess. A sample realization of observed events
is generated and passed into the Hidden Markov Model (HMM) tracker.
The probability vectors generated from the tracker vary over time
and are shown in FIG. 2. During operations, the state probability
vector for the current time is passed to the sensitivity analyzer
as the initial condition used to start its analysis.
[0025] FIG. 3 depicts a method of determining mission sensitivity
and performing mission impact prediction. The inputs are the
mathematical objects provided by the network operational awareness
function of the MCNDS. Given a mathematical model such as an HMM,
the basic approach to sensitivity analysis is shown. The process
takes the state of the system at time increment k (300) and
produces two descendants. The first descendant 312 is the nominal
version for time increment k+1, and the second descendant 314 is a
perturbed (due to attack, failure, or reallocation) version for
time increment k+1. Both versions are then propagated forward in
time, using nominal dynamics models, out to some computation
horizon N. The difference between the overall mission
effectiveness along the two paths, the nominal path 310 and the
perturbed path 320, is the sensitivity estimate. The estimate of
mission sensitivity is specific to the perturbation injected and
to the time at which it is injected into the path. By varying the
system that is perturbed and the time at which the perturbation
occurs, a more complete estimate of mission sensitivity is
constructed.
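The two-descendant propagation of FIG. 3, as an added example that is not code from the patent. It goes beyond the single branch of the figure by sweeping the perturbed component and the injection time k, which yields sensitivity curves of the kind FIG. 5 shows, and then uses those curves for the threshold-based alarm correlation of claim 27 and the COA ranking of claim 5. Everything below is assumed: the transition matrix (page convention, A[i][j] = Pr(s_{k+1}=i | s_k=j)), the component-to-state dependence weights standing in for claim 9's weighted mappings, the rule that a compromised component scales down transitions out of the states that depend on it and keeps the lost mass in place, the per-state effectiveness values, and the alarm and COA lists.

```python
# Added example (not from the patent): nominal-versus-perturbed propagation of the
# mission state vector (FIG. 3), swept over components and injection times to give
# sensitivity curves like FIG. 5, then used for alarm correlation (claim 27) and
# COA ranking (claim 5). All matrices, weights, alarms and COAs are constructed.
STATES = ["detect", "decide", "engage", "assess"]          # FIG. 2 states

A_NOM = [[0.3, 0.0, 0.0, 0.5],     # A[i][j] = Pr(s_{k+1}=i | s_k=j); columns sum to 1
         [0.7, 0.3, 0.0, 0.0],
         [0.0, 0.7, 0.2, 0.0],
         [0.0, 0.0, 0.8, 0.5]]

# Weighted mapping from network components to mission states (claim 9), read here
# as the fraction of a state's forward progress lost while the component is down.
DEPENDENCE = {
    "email_server": {"decide": 0.5, "engage": 0.3},
    "planning_db":  {"decide": 0.9},
    "dns_server":   {"detect": 0.4, "decide": 0.4, "engage": 0.4, "assess": 0.4},
}
# Effectiveness credited per time step for occupying each state (assumption).
VALUE = {"detect": 0.0, "decide": 0.0, "engage": 0.5, "assess": 1.0}
# Constructed alarms: (alarm id, component the alarm concerns).
ALARMS = [("IDS-7731 smtp relay probe", "email_server"),
          ("NMS link-down", "dns_server"),
          ("IDS-8102 sql anomaly", "planning_db")]


def step(A, p):
    """One step of the dynamics: p_{k+1}[i] = sum_j A[i][j] p_k[j]."""
    n = len(p)
    return [sum(A[i][j] * p[j] for j in range(n)) for i in range(n)]


def perturbed(A, weights):
    """Scale transitions *out of* each dependent state by (1 - w) and keep the
    lost probability mass in that state, so every column still sums to 1."""
    n = len(A)
    P = [row[:] for row in A]
    for state, w in weights.items():
        j = STATES.index(state)
        for i in range(n):
            if i != j:
                P[i][j] *= 1.0 - w
        P[j][j] = 1.0 - sum(P[i][j] for i in range(n) if i != j)
    return P


def effectiveness(path):
    """Overall mission effectiveness accumulated along a path of state vectors."""
    return sum(VALUE[STATES[i]] * p[i] for p in path for i in range(len(p)))


def sensitivity(A, p0, weights, k, horizon):
    """E_nominal - E_perturbed for a perturbation injected at step k -> k+1;
    both descendants are then propagated to `horizon` with the nominal A."""
    pk = p0
    for _ in range(k):                         # nominal path up to time k (300)
        pk = step(A, pk)
    nominal = [step(A, pk)]                    # descendant 312
    pert = [step(perturbed(A, weights), pk)]   # descendant 314
    for _ in range(k + 1, horizon):
        nominal.append(step(A, nominal[-1]))
        pert.append(step(A, pert[-1]))
    return effectiveness(nominal) - effectiveness(pert)


def sensitivity_curves(A, p0, horizon):
    """Mission sensitivity to each component as a function of injection time."""
    return {c: [sensitivity(A, p0, w, k, horizon) for k in range(horizon)]
            for c, w in DEPENDENCE.items()}


def correlate_alarms(alarms, curves, k, threshold):
    """Alarms whose component's sensitivity at time k exceeds the threshold,
    most mission-relevant first (claim 27)."""
    hits = [(alarm, comp, curves[comp][k]) for alarm, comp in alarms
            if curves[comp][k] > threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def rank_coas(coas, A, p0, k, horizon):
    """Order network-operation COAs by expected mission impact, least first.
    A COA is modelled as taking its listed components out of service at step k."""
    ranked = []
    for name, comps in coas.items():
        weights = {}
        for c in comps:                        # combine dependence weights
            for s, w in DEPENDENCE[c].items():
                weights[s] = 1.0 - (1.0 - weights.get(s, 0.0)) * (1.0 - w)
        ranked.append((name, sensitivity(A, p0, weights, k, horizon)))
    return sorted(ranked, key=lambda r: r[1])


if __name__ == "__main__":
    p_now = [1.0, 0.0, 0.0, 0.0]               # tracker output: mission in "detect"
    curves = sensitivity_curves(A_NOM, p_now, horizon=6)
    for comp, curve in curves.items():
        print(comp, [round(s, 3) for s in curve])
    print(correlate_alarms(ALARMS, curves, k=1, threshold=0.05))
    print(rank_coas({"patch planning db": ["planning_db"],
                     "reboot dns": ["dns_server"],
                     "patch both": ["planning_db", "email_server"]},
                    A_NOM, p_now, k=1, horizon=6))
```

Two properties of the output are worth checking by hand. A component that only the "decide" state depends on has zero sensitivity while all probability mass is still in "detect" (k=0), and becomes the most sensitive component once the mission has moved into "decide" (k=1), which is the time dependence [0027] describes. The same function also ranks a maintenance window that takes the planning database down at k=1 as more costly than one that reboots DNS at the same time, so the ranking is driven by the current mission state, not by the component alone.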
[0026] FIG. 4 depicts an example embodiment of a deployed force
that must deal with IO attacks during a specific mission, Air
Tasking Order generation. Coordination is required between the
ships 402, the JTF Commander 404, the Air Operations Center 410,
and the Wing Operations Center 408. The communications networks
include MILNET 410 and the Internet 412. Compromises were
considered in three components: an email server, a planning
database server, and a domain name server.
[0027] Performing sensitivity analysis on the ATO generation
mission results in the curves shown in FIG. 5. As can be easily
seen in FIG. 5, mission sensitivity can vary greatly depending on
which network components are compromised, and at what point in time
they are impacted. This underscores the need to understand the
mission sensitivities in order to make appropriate decisions and
undertake the best courses of action.
[0028] In one embodiment of the present invention in a Naval
scenario, the Naval operations (N3) user at the Tactical Flag
Command Center (TFCC) will have available the MCNDS Command and
Control (C2) Module to monitor which operational alternatives are
at risk due to network perturbations. At the Network Operations
Center (NOC), Naval networking users will have in the present
embodiment the MCNDS C2 module for monitoring the network and
planning network operations while interacting with the Naval
Network Warfare Command (NNWC) and users at a Department of Defense
Regional Network Operations and Security Center (RNOSC). An
additional component of coordination may come from the Fleet
Information Warfare Center (FIWC) to the NOC and the battlegroup
N3. A team of users at FIWC will have in the present embodiment the
MCNDS C2 module for monitoring, prioritizing network operation
COAs, and planning the execution of network operations. MCNDS C2
modules will interface to collaboration tools to provide instant
access between the battlegroup information warfare commander (IWC)
and electronic warfare officer (EWO), and MCNDS users at the FIWC,
NOC, NNWC and RNOSC.
[0029] Although the method according to the present invention has
been described in the foregoing specification in considerable
detail, it is to be understood that modifications may be made to
the invention which do not exceed the scope of the appended claims,
and modified forms of the present invention made by others skilled
in the art to which the invention pertains will be considered
infringements of this invention when those modified forms fall
within the claimed scope of this invention.
* * * * *